Week 3
(June 15, 2023)
Updates:
This week, my work on the project primarily involved three main components:
- Researching and studying the details of CycloneDX reports:
- I explored the CycloneDX schema, which helped me understand the specific data that can and cannot be included in the reports generated by FOSSology.
- Additionally, I successfully mapped the required data fields between SPDX and CycloneDX reports.
- Generating a CycloneDX report:
- I focused on generating the report in JSON format, and I accomplished this task successfully.
- Here is an example of the report generated:
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 0,
  "$schema": "https://cyclonedx.org/schema/bom/1.4/schema.json",
  "serialNumber": "urn:uuid:BomRef.6-4881-a807-a47d-7.16459827",
  "metadata": {
    "timestamp": "2023-06-13T12:58:00+05:30",
    "tools": [
      {
        "vendor": "FOSSology",
        "name": "FOSSology",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "type": "file",
      "name": "File 1",
      "mime-type": "application/octet-stream",
      "bom-ref": "ABCDEF123",
      "supplier": {
        "name": "Supplier 1",
        "url": [],
        "contact": []
      },
      "scope": "required",
      "hashes": [],
      "licenses": [
        {
          "license": {
            "id": "License1",
            "name": "License 1",
            "text": {
              "content": "TGljZW5zZSB0ZXh0IDE=",
              "contentType": "text/plain",
              "encoding": "base64"
            },
            "url": "https://example.com/license1"
          },
          "expression": "License expression 1"
        },
        {
          "license": {
            "id": "License2",
            "name": "License 2",
            "text": {
              "content": "TGljZW5zZSB0ZXh0IDI=",
              "contentType": "text/plain",
              "encoding": "base64"
            },
            "url": "https://example.com/license2"
          },
          "expression": "License expression 2"
        }
      ],
      "copyright": "Copyright 1"
    },
    {
      "type": "file",
      "name": "File 2",
      "mime-type": "application/octet-stream",
      "bom-ref": "ABCDEF456",
      "supplier": {
        "name": "Supplier 2",
        "url": [],
        "contact": []
      },
      "scope": "required",
      "hashes": [],
      "licenses": [
        {
          "license": {
            "id": "License3",
            "name": "License 3",
            "text": {
              "content": "TGljZW5zZSB0ZXh0IDM=",
              "contentType": "text/plain",
              "encoding": "base64"
            },
            "url": "https://example.com/license3"
          },
          "expression": "License expression 3"
        }
      ],
      "copyright": "Copyright 2"
    }
  ]
}
```
- It's important to note that the data in the above report is not sourced from FOSSology. However, all the fields can be populated with data from the FOSSology database.
- The report primarily emphasizes the components of an upload. While the CycloneDX specification allows for various types of components, such as Application, Container, Device, Library, File, Firmware, Framework, and Operating System, we only need to include File components in FOSSology reports.
- Validating the report:
- I developed some simple PHP code that can be used to validate the report against the CycloneDX schema.
- Here is the function that validates the report:
```php
<?php
// Uses the justinrainbow/json-schema library (installed via Composer);
// the autoload path is assumed, and the `use` line is required for
// `new Validator()` to resolve.
require_once __DIR__ . '/vendor/autoload.php';

use JsonSchema\Validator;

/**
 * Validate a CycloneDX JSON report against the CycloneDX JSON schema.
 * Returns true when the report is valid, otherwise an array of
 * "property: message" strings, one per schema violation.
 */
function validateJSONAgainstSchema($jsonFile, $schemaFile)
{
    $jsonData = json_decode(file_get_contents($jsonFile));
    $schemaData = json_decode(file_get_contents($schemaFile));
    if ($jsonData === null || $schemaData === null) {
        // malformed report or schema file: report the parse error instead
        return ['json: ' . json_last_error_msg()];
    }
    $validator = new Validator();
    $validator->validate($jsonData, $schemaData);
    if (!$validator->isValid()) {
        // each error is an array carrying 'property' and 'message' keys
        return array_map(function ($error) {
            return $error['property'] . ': ' . $error['message'];
        }, $validator->getErrors());
    }
    return true;
}
```
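As an added example (not code from this post or from FOSSology), here is how the file-only BOM described above can be assembled so that it meets the constraints the validator checks: a `urn:uuid` serial number, a `version` of at least 1, hashes in `alg`/`content` form, and a license entry that is either an SPDX id or an expression, since the schema's licenseChoice is oneOf and rejects both together. The record layout (`name`, `sha1`, `licenses`, `copyright`) and the tool version are assumptions standing in for FOSSology's database rows.

```php
<?php
// Constructed sample input: one record per scanned file of an upload.
// The field names are an assumption, not FOSSology's actual schema.
$files = [
    ['name' => 'src/main.c', 'sha1' => 'da39a3ee5e6b4b0d3255bfef95601890afd80709',
     'licenses' => ['MIT'], 'copyright' => 'Copyright (c) 2023 Example'],
    ['name' => 'lib/util.c', 'sha1' => 'a94a8fe5ccb19ba61c4c0873d391e987982fbbd3',
     'licenses' => ['Apache-2.0', 'GPL-2.0-only'], 'copyright' => null],
];

// RFC 4122 version-4 UUID, matching the serialNumber pattern of the schema.
function uuid4(): string {
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40);   // version nibble = 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80);   // variant bits = 10
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

// One "file" component per record. A single SPDX id goes in license.id;
// several concluded licenses become one SPDX expression instead, because
// licenseChoice may carry either "license" or "expression", never both.
function fileComponent(array $rec): array {
    $licenses = count($rec['licenses']) === 1
        ? [['license' => ['id' => $rec['licenses'][0]]]]
        : [['expression' => implode(' AND ', $rec['licenses'])]];
    $c = [
        'type'     => 'file',
        'bom-ref'  => 'file-' . substr($rec['sha1'], 0, 12),
        'name'     => $rec['name'],
        'hashes'   => [['alg' => 'SHA-1', 'content' => $rec['sha1']]],
        'licenses' => $licenses,
    ];
    if ($rec['copyright'] !== null) { $c['copyright'] = $rec['copyright']; }
    return $c;
}

function buildBom(array $files): array {
    return [
        'bomFormat'    => 'CycloneDX',
        'specVersion'  => '1.4',
        'serialNumber' => 'urn:uuid:' . uuid4(),
        'version'      => 1,   // schema minimum is 1, so 0 would not validate
        'metadata'     => [
            'timestamp' => (new DateTimeImmutable('now', new DateTimeZone('UTC')))->format(DATE_ATOM),
            'tools'     => [['vendor' => 'FOSSology', 'name' => 'FOSSology', 'version' => '1.0.0']],
        ],
        'components'   => array_map('fileComponent', $files),
    ];
}

echo json_encode(buildBom($files), JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
```

Piping the output to a file and passing it to `validateJSONAgainstSchema` together with the CycloneDX 1.4 schema is the quickest way to confirm the generated structure before wiring it to real database rows.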
Conclusion and further plans:
- In the upcoming weeks, I will work on CycloneDX agent implementation in FOSSology.